CVE-2026-23307 - Vulnerability Details

- can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message

Description

In the Linux kernel, the following vulnerability has been resolved:

can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message

When looking at the data in a USB urb, the actual_length is the size of
the buffer passed to the driver, not the transfer_buffer_length which is
set by the driver as the max size of the buffer.

When parsing the messages in ems_usb_read_bulk_callback() properly check
the size both at the beginning of parsing the message to make sure it is
big enough for the expected structure, and at the end of the message to
make sure we don't overflow past the end of the buffer for the next
message.

Published: 2026-03-25

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

An improper length check in Linux's ems_usb driver allows malicious USB bulk messages to be processed, potentially causing a buffer overflow that corrupts kernel memory. This flaw, categorized as CWE‑805, can overwrite critical kernel structures and may lead to denial of service or, if exploited further, arbitrary code execution.

Affected Systems

The vulnerability affects any Linux kernel that includes the ems_usb driver. While the advisory does not list specific release numbers, all distributions shipping a kernel with this driver before the patch are potentially exposed.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, and the EPSS score of less than 1% points to a low likelihood of observed exploitation. Based on the description, it is inferred that the attack vector requires a physical or compromised USB device that sends crafted bulk packets to the target system. The issue is not listed in CISA's KEV catalog, suggesting no widespread exploitation is known. Applying the vendor patch remains the best mitigation against this risk.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`702171adeed3607ee9603ec30ce081411e36ae42`	affected	< aed172a2e2330131f0977d2acd3ec8883f413ec1
`702171adeed3607ee9603ec30ce081411e36ae42`	affected	< f10177e6c4575aedaea580ce67d792fab7a2235e
`702171adeed3607ee9603ec30ce081411e36ae42`	affected	< c703bbf8e9b4947e111c88d2ed09236a6772a471
`702171adeed3607ee9603ec30ce081411e36ae42`	affected	< 1818974e1b5ef200e27f144c8cb8a246420bb54d
`702171adeed3607ee9603ec30ce081411e36ae42`	affected	< 18f75b9cbdc3703f15965425ab69dee509b07785
`702171adeed3607ee9603ec30ce081411e36ae42`	affected	< 1cf469026d4a2308eaa91d04dca4a900d07a5c2e
`702171adeed3607ee9603ec30ce081411e36ae42`	affected	< 2833e13e2b099546abf5d40a483b4eb04ddd1f7b
`702171adeed3607ee9603ec30ce081411e36ae42`	affected	< 38a01c9700b0dcafe97dfa9dc7531bf4a245deff

Linux

affected

Version	Status	Constraints
`2.6.32`	affected	—
`0`	unaffected	< 2.6.32
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.167`	unaffected	≤ 6.1.*
`6.6.130`	unaffected	≤ 6.6.*
`6.12.77`	unaffected	≤ 6.12.*
`6.18.17`	unaffected	≤ 6.18.*
`6.19.7`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[702171adeed3607ee9603ec30ce081411e36ae42,c703bbf8e9b4947e111c88d2ed09236a6772a471)`	affected	code_commit	—
`[702171adeed3607ee9603ec30ce081411e36ae42,1818974e1b5ef200e27f144c8cb8a246420bb54d)`	affected	code_commit	—
`[702171adeed3607ee9603ec30ce081411e36ae42,18f75b9cbdc3703f15965425ab69dee509b07785)`	affected	code_commit	—
`[702171adeed3607ee9603ec30ce081411e36ae42,1cf469026d4a2308eaa91d04dca4a900d07a5c2e)`	affected	code_commit	—
`[702171adeed3607ee9603ec30ce081411e36ae42,2833e13e2b099546abf5d40a483b4eb04ddd1f7b)`	affected	code_commit	—
`[702171adeed3607ee9603ec30ce081411e36ae42,38a01c9700b0dcafe97dfa9dc7531bf4a245deff)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`2.6.32`	affected	semver	—
`[0,2.6.32)`	unaffected	generic	—
`[6.1.167,6.2.0)`	unaffected	semver	—
`[6.6.130,6.7.0)`	unaffected	semver	—
`[6.12.77,6.13.0)`	unaffected	semver	—
`[6.18.17,6.19.0)`	unaffected	semver	—
`[6.19.7,7.0.0)`	unaffected	semver	—
`[7.0-rc3,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest kernel update that includes the ems_usb read bulk callback fix
If an immediate upgrade is not possible, disable or unbind the ems_usb driver from unneeded USB devices
Configure SELinux, AppArmor, or similar modules to restrict USB device access
Monitor system logs for abnormal USB activity and set alerts for malformed packets
Ensure USB host controller firmware is up to date to eliminate related weaknesses

Generated by OpenCVE AI on March 26, 2026 at 14:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00037.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/1818974e1b5ef200e27f144c8cb8a246420bb54d
https://git.kernel.org/stable/c/18f75b9cbdc3703f15965425ab69dee509b07785
https://git.kernel.org/stable/c/1cf469026d4a2308eaa91d04dca4a900d07a5c2e
https://git.kernel.org/stable/c/2833e13e2b099546abf5d40a483b4eb04ddd1f7b
https://git.kernel.org/stable/c/38a01c9700b0dcafe97dfa9dc7531bf4a245deff
https://git.kernel.org/stable/c/aed172a2e2330131f0977d2acd3ec8883f413ec1
https://git.kernel.org/stable/c/c703bbf8e9b4947e111c88d2ed09236a6772a471
https://git.kernel.org/stable/c/f10177e6c4575aedaea580ce67d792fab7a2235e
https://lore.kernel.org/linux-cve-announce/2026032528-CVE-2026-23307-60f2@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23307
https://www.cve.org/CVERecord?id=CVE-2026-23307

History

Sat, 18 Apr 2026 09:15:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/aed172a2e2330131f0977d2acd3ec8883f413ec1 https://git.kernel.org/stable/c/f10177e6c4575aedaea580ce67d792fab7a2235e

Thu, 26 Mar 2026 12:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-119

Thu, 26 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-805
References		https://lore.kernel.org/linux-cve-announce/2026032528-CVE-2026-23307-60f2@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23307 https://www.cve.org/CVERecord?id=CVE-2026-23307
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Wed, 25 Mar 2026 22:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-119

Wed, 25 Mar 2026 10:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message When looking at the data in a USB urb, the actual_length is the size of the buffer passed to the driver, not the transfer_buffer_length which is set by the driver as the max size of the buffer. When parsing the messages in ems_usb_read_bulk_callback() properly check the size both at the beginning of parsing the message to make sure it is big enough for the expected structure, and at the end of the message to make sure we don't overflow past the end of the buffer for the next message.
Title		can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/1818974e1b5ef200e27f144c8cb8a246420bb54d https://git.kernel.org/stable/c/18f75b9cbdc3703f15965425ab69dee509b07785 https://git.kernel.org/stable/c/1cf469026d4a2308eaa91d04dca4a900d07a5c2e https://git.kernel.org/stable/c/2833e13e2b099546abf5d40a483b4eb04ddd1f7b https://git.kernel.org/stable/c/38a01c9700b0dcafe97dfa9dc7531bf4a245deff https://git.kernel.org/stable/c/c703bbf8e9b4947e111c88d2ed09236a6772a471

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-03-25T10:27:02.746Z

Updated: 2026-04-18T08:57:53.252Z

Reserved: 2026-01-13T15:37:45.994Z

Link: CVE-2026-23307

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-03-25T11:16:26.657

Modified: 2026-04-18T09:16:18.340

Link: CVE-2026-23307

Redhat

Severity : Moderate

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23307 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T09:50:00Z

Weaknesses

CWE-805

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object